IBM Support

How do I install the Bouncy Castle JCE for ITNCM v6.4.2?

How To


Summary

Installing the Bouncy Castle JCE may be necessary if any of your devices encounter restrictions with the IBM JCE.

Steps

Go to https://www.bouncycastle.org and locate the latest signed provider JARs for JDK7/JDK1.7. For example:
At the time of writing, the URL for the JARs is https://www.bouncycastle.org/latest_releases.html and the files you need to download are:
  • bcprov-jdk15on-165.jar 
  • bcprov-ext-jdk15on-165.jar
Transfer these JARs to the home directory of the user that installed ITNCM. This should be done for all ITNCM servers that process UOWs.
On the ITNCM servers, perform the following commands to copy the JARs to ncm/jre/lib/ext:
 netcool$ cd /opt/IBM/tivoli/netcool/ncm/jre/jre/lib/ext
 netcool$ cp ~/bcprov-jdk15on-165.jar .
 netcool$ cp ~/bcprov-ext-jdk15on-165.jar .
Now that the JARs are in place, we will also have to edit java.security to include them in the list of JCE providers ITNCM will use. Use commands such as the following to begin editing this file:
 netcool$ cd /opt/IBM/tivoli/netcool/ncm/jre/jre/lib/security
 netcool$ cp java.security java.security.backup
 netcool$ vi java.security 
Look for a list of lines of the form security.provider.X, where X is a number, for example:
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2

...
At the top of the list add the line:
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
Then for all other lines in the list, increment the X in security.provider.X by 1. The end result should be similar to:
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
...
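The renumbering described above can be scripted so that no entry is skipped or duplicated. The following is an added example, not part of the IBM document or of ITNCM; the function name insert_bc_provider, the script name add_bc_provider.sh and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM's tooling. Prints a copy of a java.security file with
# the Bouncy Castle provider at position 1 and every existing active
# security.provider.N entry shifted to N+1. The input file is not modified.
BC_CLASS='org.bouncycastle.jce.provider.BouncyCastleProvider'

insert_bc_provider() {
    # Idempotence: if an active entry already names the BC provider, emit
    # the file unchanged rather than registering it twice.
    if grep -Eq "^security\.provider\.[0-9]+=${BC_CLASS}[[:space:]]*\$" "$1"; then
        cat "$1"
        return 0
    fi
    awk -v bc="$BC_CLASS" '
        /^security\.provider\.[0-9]+=/ {        # active entries only
            if (!inserted) { print "security.provider.1=" bc; inserted = 1 }
            eq = index($0, "=")
            split(substr($0, 1, eq - 1), part, ".")   # part[3] is N
            print "security.provider." (part[3] + 1) substr($0, eq)
            next
        }
        { print }                               # comments, other settings
        END { if (!inserted) print "security.provider.1=" bc }
    ' "$1"
}

# Constructed sample input, modelled on the provider list shown above.
sample_java_security() {
    cat <<'EOF'
# List of providers and their preference orders
#security.provider.9=example.commented.out.Provider
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
securerandom.source=file:/dev/urandom
EOF
}

# Usage: sh add_bc_provider.sh [path/to/java.security] > java.security.new
if [ -n "$1" ]; then
    insert_bc_provider "$1"
else
    tmp=$(mktemp) && sample_java_security > "$tmp" &&
        insert_bc_provider "$tmp" && rm -f "$tmp"
fi
```

Compare the output against java.security.backup with diff before putting it in place, so that the only changes are the new first entry and the shifted numbers.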
Finally, restart ITNCM for the Bouncy Castle provider to take effect.
You can verify that the Bouncy Castle JCE has taken effect by running an AutoDiscovery against the server ITNCM is installed on. Create a text file 127.0.0.1.txt in directory /opt/IBM/tivoli/netcool/ncm/autodiscovery:
netcool$ cd /opt/IBM/tivoli/netcool/ncm/autodiscovery
netcool$ vi 127.0.0.1.txt
The contents of 127.0.0.1.txt should be:
a:doesnotmatter
p:doesnotmatter
e:doesnotmatter
d:./bcresults
r:doesnotmatter
127.0.0.1
Edit ad.properties so that SSH port 22 is used for the Discovery process:
netcool$ cp ad.properties ad.properties.backup
netcool$ vi ad.properties
Edit connectionType and sshPort so that their values are set as shown below:
connectionType=ssh
sshPort=22
Edit autodiscover.sh so that MindTerm logs the JCE providers it may use:
netcool$ vi autodiscover.sh
Locate the following line:
 /opt/IBM/tivoli/netcool/ncm/jre/bin/java -Dinstall.dir=${INSTALL_DIR} -classpath ${CLASSPATH}  com.intelliden.tools.autodiscovery.RunAutoDiscovery ${PARAM1} ${PARAM2}
Add the command-line option -Dmindterm.jce.debug=yes, e.g.
 /opt/IBM/tivoli/netcool/ncm/jre/bin/java -Dinstall.dir=${INSTALL_DIR} -Dmindterm.jce.debug=yes -classpath ${CLASSPATH} com.intelliden.tools.autodiscovery.RunAutoDiscovery ${PARAM1} ${PARAM2}
Finally, run autodiscover.sh and inspect the additional logging produced on the console to ensure it contains provider=BC, e.g.
netcool$ ./autodiscover.sh 127.0.0.1.txt
...
Added JCE: org.bouncycastle.jce.provider.BouncyCastleProvider
getCipher(AES/CBC/NoPadding): provider=BC version 1.58
getCipher(CAST5/CBC/NoPadding): provider=BC version 1.58
getKeyPairGenerator(DH): provider=BC version 1.58
Initializing PRNG
Using PRNG: java.security.SecureRandom@f86b1aff provider: BC version 1.58
getKeyPairGenerator(EC): provider=BC version 1.58
getKeyAgreement(ECDH): provider=BC version 1.58
getSignature(SHA512/ECDSA): provider=BC version 1.58
getMD(SHA-256): provider=BC version 1.58
getKeyPairGenerator(EC): provider=BC version 1.58
getKeyFactory(EC): provider=BC version 1.58
getKeyAgreement(ECDH): provider=BC version 1.58
getSignature(SHA256/ECDSA): provider=BC version 1.58
getKeyPairGenerator(EC): provider=BC version 1.58
getKeyFactory(EC): provider=BC version 1.58
getCipher(AES/CTR/NoPadding): provider=BC version 1.58
getMac(HmacSHA1): provider=BC version 1.58
getCipher(AES/CTR/NoPadding): provider=BC version 1.58
getMac(HmacSHA1): provider=BC version 1.58
...

Document Location

Worldwide


Document Information

Modified date:
15 March 2021

UID

ibm16173331